This Week in Malware—Malicious Rust crate, ‘colors’ typosquats

The This Week in Malware digest was delayed by a day in light of a significant announcement on Friday from Sonatype’s CTO Brian Fox. The announcement details Sonatype’s participation in an ongoing conversation led by the Open Source Security Foundation (OpenSSF) that unites the industry, open source communities, and government officials in solving the big OSS security problem.


Speaking of the OSS security problem, let’s talk about this week’s malware incidents, which this time hit the Rust Package Registry.

1. XOR encryption in malicious ‘rustdecimal’

This week, GitHub user Askar Safin identified a malicious Rust crate, ‘rustdecimal’, on the registry. This package is a typosquat of the real ‘rust_decimal’ package and uses a rather elusive form of obfuscation to fetch malware, as confirmed by the Sonatype security research team. The malware targets both Linux and macOS users.

The malicious ‘rustdecimal’ package has been assigned the sonatype-2022-2788 identifier in our security data. 

We observed that the authentic ‘rust_decimal’ crate has been downloaded over 3,478,217 times over its lifetime, and that popularity is probably what motivated an attacker to name their malicious package after it.

Interestingly, one user reported seeing over 100,000 downloads for one version of the ‘rustdecimal’ typosquat, although Rust’s security team realistically attributes most of these to bots and states that the malicious versions actually gathered fewer than 500 downloads.

Despite the malicious ‘rustdecimal’ typosquat having been removed by the Rust security team, our malware archives retained a copy of the package, allowing us to analyze the typosquat.

Analysis by Sonatype security researcher Juan Aguirre pinpointed the place in the typosquat where the malware resides.

In ‘rustdecimal’ version 1.23.1, within ‘src/ops/’ we see a cryptic array of integers within the bit_parser() function that even the most skilled developers and security analysts may easily overlook (Read more...)
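The obfuscation pattern described above, as an added example that is not the crate’s or Sonatype’s code: an analyst-side helper that brute-forces a single-byte XOR key over an integer array lifted from source and keeps only the decodings that come out as printable ASCII. The single-byte key, the placeholder URL and the sample array are assumptions constructed for the example, not details recovered from the real sample.

```rust
// Added example: recover a string hidden as an XOR-obfuscated integer array.
// Assumption: a single-byte key and a printable ASCII plaintext (a URL or path).

/// XOR every element with `key`; XOR is symmetric, so this both encodes and decodes.
fn xor_decode(encoded: &[u8], key: u8) -> Vec<u8> {
    encoded.iter().map(|b| b ^ key).collect()
}

/// True when the buffer is non-empty and every byte is printable ASCII (0x20..=0x7e).
fn is_printable(bytes: &[u8]) -> bool {
    !bytes.is_empty() && bytes.iter().all(|b| (0x20..=0x7e).contains(b))
}

/// Try all 256 single-byte keys and keep the decodings that are fully printable.
/// An analyst then reviews the few survivors for URLs, paths or shell fragments.
fn candidate_plaintexts(encoded: &[u8]) -> Vec<(u8, String)> {
    (0u8..=255)
        .filter_map(|key| {
            let out = xor_decode(encoded, key);
            if is_printable(&out) {
                Some((key, String::from_utf8(out).expect("printable ASCII is valid UTF-8")))
            } else {
                None
            }
        })
        .collect()
}

// Constructed sample values (not taken from the real crate).
const SAMPLE_KEY: u8 = 0x5a;
const SAMPLE_PLAINTEXT: &str = "https://example.invalid/payload";

/// Builds the kind of integer array an obfuscated source file would carry:
/// the placeholder URL XORed with SAMPLE_KEY.
fn sample_array() -> Vec<u8> {
    xor_decode(SAMPLE_PLAINTEXT.as_bytes(), SAMPLE_KEY)
}

fn main() {
    // Print every printable decoding; the real key's output reads as the URL.
    for (key, text) in candidate_plaintexts(&sample_array()) {
        println!("key 0x{:02x}: {}", key, text);
    }
}
```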

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Ax Sharma. Read the original post at: